Hackers Exploiting Three Microsoft Office Flaws to Spread Zyklon Malware

Discussion in 'General Chat' started by hacker7, Jan 19, 2018.

  1. hacker7

    hacker7 (Staff Member, Super Moderator, DEV Guild)


    Security researchers have spotted a new malware campaign in the wild that spreads an advanced botnet malware by leveraging at least three recently disclosed vulnerabilities in Microsoft Office.

    Dubbed Zyklon, the fully-featured malware has resurfaced after almost two years and is primarily found targeting telecommunications, insurance and financial services.

    Active since early 2016, Zyklon is an HTTP botnet malware that communicates with its command-and-control servers over the Tor anonymising network and allows attackers to remotely steal keylogs and sensitive data, like passwords stored in web browsers and email clients.

    Zyklon malware is also capable of executing additional plugins, including secretly using infected systems for DDoS attacks and cryptocurrency mining.


    Different versions of the Zyklon malware have previously been found being advertised on a popular underground marketplace for $75 (normal build) and $125 (Tor-enabled build).

    Once opened, the malicious doc file equipped with one of these vulnerabilities immediately runs a PowerShell script, which eventually downloads the final payload, i.e., Zyklon HTTP malware, onto the infected computer.
    "In all these techniques, the same domain is used to download the next level payload (Pause.ps1), which is another PowerShell script that is Base64 encoded," the FireEye researchers said.

    "The Pause.ps1 script is responsible for resolving the APIs required for code injection. It also contains the injectable shellcode."

    "The injected code is responsible for downloading the final payload from the server. The final stage payload is a PE executable compiled with .Net framework."

    Interestingly, the PowerShell script connects to a dotless IP address (example: http://3627732942) to download the final payload.

    What is a Dotless IP Address? If you are unaware, dotless IP addresses, sometimes referred to as 'Decimal Addresses,' are the decimal values of IPv4 addresses (normally represented in dotted-quad notation). Almost all modern web browsers resolve a decimal IP address to its equivalent IPv4 address when it is opened with "http://" in front of the decimal value.

    For example, Google's IP address 216.58.207.206 can also be represented as http://3627732942 in decimal values (Try this online converter).

    The best way to protect yourself and your organisation from such malware attacks is always to be suspicious of any uninvited document sent via email and never to click on links inside those documents without adequately verifying the source.

    Most importantly, always keep your software and systems up-to-date, as threat actors incorporate recently discovered, but patched, vulnerabilities in popular software—Microsoft Office, in this case—to increase the potential for successful infections.

    Source

    Enjoy not being paranoid, while it lasts! :D
     
  2. draww

    draww (Staff Member, Super Moderator, DEV Guild, Reverser)

    The online decimal IPv4 converter is missing in the article,

    but this can be used
    Code:
    https://www.ipaddressguide.com/ip
    there is also an IPv6 converter
    Code:
    https://www.ipaddressguide.com/ipv6-to-decimal
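A worked example of the decimal ("dotless") address form the article describes and the converters draww links to, added here as an editor's example; it is not part of either post or of the FireEye write-up. It uses Python's standard ipaddress module to convert 216.58.207.206 to 3627732942 and back, does the same for the 128-bit decimal form of an IPv6 address, and then scans a few constructed proxy log lines for URLs whose host is a bare number, normalising them to dotted-quad so that a blocklist or log search keyed on the usual notation does not miss them. The log lines are constructed sample data (the Pause.ps1 filename is reused from the article), and URL_RE and the function names are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample proxy log lines (not from the article or the forum post).
SAMPLE_LOG = """\
2018-01-19T10:01:02Z client=10.0.0.5 GET http://3627732942/Pause.ps1
2018-01-19T10:01:03Z client=10.0.0.6 GET http://www.example.com/index.html
2018-01-19T10:01:04Z client=10.0.0.7 GET https://216.58.207.206/
2018-01-19T10:01:05Z client=10.0.0.8 GET http://99999999999/not-an-ipv4
"""

# Hypothetical URL extractor for this example: good enough for whitespace-delimited log fields.
URL_RE = re.compile(r"https?://\S+")


def dotted_to_decimal(addr):
    """'216.58.207.206' -> 3627732942. Also accepts IPv6 text ('::1' -> 1)."""
    return int(ipaddress.ip_address(addr))


def decimal_to_ipv4(value):
    """3627732942 -> '216.58.207.206'. Raises AddressValueError above 2**32 - 1."""
    return str(ipaddress.IPv4Address(value))


def decimal_to_ipv6(value):
    """Decimal form of a 128-bit address -> compressed IPv6 text (1 -> '::1')."""
    return str(ipaddress.IPv6Address(value))


def is_dotless_host(host):
    """A host made only of digits is a dotless (decimal) IP literal."""
    return host is not None and host.isdigit()


def normalize_url(url):
    """Rewrite a dotless host to dotted-quad so the URL matches ordinary blocklists."""
    parts = urlsplit(url)
    if not is_dotless_host(parts.hostname):
        return url
    dotted = decimal_to_ipv4(int(parts.hostname))
    netloc = dotted if parts.port is None else f"{dotted}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def flag_dotless_urls(log_text):
    """Return (line_no, url, resolved) for every URL whose host is a bare decimal.

    resolved is the dotted-quad string, or None when the number is too large to
    be an IPv4 address (still worth flagging: it is not a normal hostname).
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname
            if not is_dotless_host(host):
                continue
            try:
                resolved = decimal_to_ipv4(int(host))
            except ipaddress.AddressValueError:
                resolved = None
            hits.append((line_no, url, resolved))
    return hits


if __name__ == "__main__":
    for line_no, url, resolved in flag_dotless_urls(SAMPLE_LOG):
        print(f"line {line_no}: {url} -> {resolved or 'invalid IPv4 literal'}")
```

Running the block reports line 1 (resolving to 216.58.207.206) and line 4 (a digit-only host that exceeds 32 bits), while the ordinary hostname and the already dotted address on lines 2 and 3 are left alone. Browsers also accept hexadecimal and octal host forms, which is_dotless_host does not cover; extending the digit check is the obvious next step for a production detector.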
     
  3. hacker7

    hacker7 (Staff Member, Super Moderator, DEV Guild)

    Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems

    Source
     
  4. hacker7

    hacker7 (Staff Member, Super Moderator, DEV Guild)
